And there I thought I knew Wordpress well. It now seems that update_option() auto-escapes code. If I want to save some Javascript or HTML code in an option, this behavior renders the code unusable.
I refuse to do a str_replace on the returned value to filter out every backslash. There has to be a better way.
Here's the PHP for the text box to enter some code:
$option = unserialize(get_option('option'));
<textarea name="option[box]"><?php echo $option['box']; ?></textarea>
This is what happens after submitting the form (in essence):
update_option('option', serialize($_POST));
Any ideas?
Edit: I now got it to work by using PHP's stripslashes() where the script has to be rendered, and htmlentities(stripslashes()) in the text box to display the stored code. While this does the job, I'd still like to know if there is a better solution.
It now seems that update_option() auto-escapes code.
It only sanitizes the value for database entry. You'll find the real troublemaker is around line 750 in wp-settings.php, and the WP function add_magic_quotes().
Yep, you read that right, add magic quotes!
For some reason, WordPress decided to enforce magic quotes, so you'll always need to stripslashes on GET and POST when writing plugins and the like.
That's true, #TheDeadMedic; stripslashes must be used like:
echo stripslashes(get_option( 'option' ));
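The round trip the answers describe, as an added stand-alone example (not code from the question or from WordPress): it simulates the slashing WordPress applies to request data, removes it before the value would be saved, and escapes the stored code when it is put back into the textarea. The helper names (simulate_magic_quotes, unslash_deep, render_textarea) are hypothetical; unslash_deep does what WordPress's own stripslashes_deep() does.

```php
<?php
// Added example, not from the thread or from WordPress core.
// Helper names are hypothetical.

// What WordPress does to $_GET/$_POST on every request: addslashes() applied
// recursively (the effect of add_magic_quotes() mentioned in the answer).
function simulate_magic_quotes($value) {
    return is_array($value) ? array_map('simulate_magic_quotes', $value) : addslashes($value);
}

// Undo the slashing recursively, same behaviour as WordPress's stripslashes_deep().
function unslash_deep($value) {
    return is_array($value) ? array_map('unslash_deep', $value) : stripslashes($value);
}

// Escape a stored value for placement inside a <textarea>, so a saved
// "</textarea>" or "<script>" cannot break out of the box.
function render_textarea(string $name, string $value): string {
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Constructed form submission: JavaScript with quotes and a backslash in it.
$raw_post = ['option' => ['box' => "alert('it\\'s \"quoted\"');"]];
$slashed  = simulate_magic_quotes($raw_post);   // what $_POST looks like inside WordPress
$clean    = unslash_deep($slashed);             // what should be handed to update_option()

assert($slashed['option']['box'] !== $raw_post['option']['box']); // slashes were added
assert($clean === $raw_post);                                     // and fully removed again

// In WordPress: update_option('option', $clean['option']);
// On output, escape rather than stripslashes():
echo render_textarea('option[box]', $clean['option']['box']), PHP_EOL;
```

Two points worth noting: strip the slashes once, on the way in, so the stored value is the code the user typed and no stripslashes() is needed where it is rendered; and update_option() serializes arrays itself, so passing the array directly avoids the manual serialize()/unserialize() pair in the question.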
I'm pretty new to MySQL, HTML and PHP and I can't seem to find much information on this trouble I'm having.
I am making my own rough project manager type thing and I have a form that lets me change the contents of each individual change log. The problem I have, however, is that when I load the data into the text area it starts with a big indentation at the start, like 3-4 tabs inwards. I would attach an image but I need at least 10 rep to do that.
Basically, it feels like the data in the database has tabs or something at the start of it, but when I go to look at the field in phpMyAdmin, it just looks like it should, not tabbed at all.
I've tried using strip_tags() but I think it only works on visible tags.
Does anyone know how to get rid of this or what is causing the problem?
I'll be following this question closely to see if anybody can provide an answer because I'm stumped.
Thanks,
Try to echo your PHP code with no blanks:
Possible tabs, bad example:
<textarea>
<?php echo $tabContent; ?>
</textarea>
Avoiding tabs:
<textarea><?php echo $tabContent; ?></textarea>
You can also try to trim your PHP content like this:
<textarea><?php echo trim($tabContent); ?></textarea>
Try doing a var_dump() and look at how long your queried string is.
If it is as long as in your database, your problem is within the textarea.
Is there any css you use with textarea?
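An added example (not from either answer) that shows why the indentation in the template ends up in the stored value, and why it grows with every edit-and-save cycle. The browser's behaviour is simulated with a small helper; the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Template with the PHP tag on its own indented line (the "bad example").
function render_indented(string $content): string {
    return "<textarea>\n    " . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . "\n</textarea>";
}

// Template with no whitespace between the tags and the value.
function render_tight(string $content): string {
    return '<textarea>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// Simulates what a browser submits: everything between the tags, minus the
// single newline immediately after <textarea>, which HTML parsers drop.
function browser_submit(string $html): string {
    preg_match('#<textarea>(.*)</textarea>#s', $html, $m);
    $value = $m[1];
    if (substr($value, 0, 1) === "\n") {
        $value = substr($value, 1);
    }
    return html_entity_decode($value, ENT_QUOTES, 'UTF-8');
}

// Constructed change-log entry, loaded into the form and saved three times.
$saved = "Fixed login bug";
for ($i = 0; $i < 3; $i++) {
    $saved = browser_submit(render_indented($saved));
}
assert(strlen($saved) > strlen("Fixed login bug"));
assert(substr($saved, 0, 4) === '    ');   // indentation is now part of the stored data

$tight = "Fixed login bug";
for ($i = 0; $i < 3; $i++) {
    $tight = browser_submit(render_tight($tight));
}
assert($tight === "Fixed login bug");       // value unchanged across edits

echo json_encode($saved), PHP_EOL;          // shows the accumulated leading whitespace
```

trim() on output only hides the symptom; removing the whitespace from the template fixes the cause, and the stored rows stop growing on every save.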
I have an input which allows users to enter text, which is then sent using PHP to another page, where it is stored in a database. I have done some simple validation (checking if the input wasn't empty), and that works pretty well. However, I found out that I can type in HTML tags, such as
<p>
and it bypasses that validation and also messes up the input.
How can I check if the input contained HTML tags, and if so, return an error?
You can simply use htmlspecialchars, or strip_tags before inserting into the database.
You can also use mysqli_real_escape_string or PDO::quote to secure strings
To check try this:
// Match an opening tag anywhere in the value; the original pattern '#^<.>.+</.>$#'
// only caught single-letter tags wrapping the whole string.
if( preg_match('#<[a-zA-Z][^>]*>#', $your_value) ){
    echo "NOT GOOD"; // and some error too
}
You could do this:
<input type='text' pattern='[a-zA-Z0-9]+'>
That ensures only letters and numbers can go in and won't submit if anything else is inside the input.
However, this is only good client side and will only work for IE9+
This is also not the best method for validation if someone knows what they're doing. All they have to do is go into the source code to take out the pattern attribute, but for those who don't know, it will be fine.
For the PHP, you can use strip_tags(). Found here
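A server-side check along the lines both answers suggest, as an added example that is not code from the question or the answers: it uses strip_tags() as the oracle (if stripping changes the string, a tag was present), which catches tags that a hand-written regex tends to miss. The function names are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

function contains_html_tags(string $input): bool {
    // strip_tags() removes anything it parses as a tag; if the result differs,
    // the input contained one. Covers multi-letter tag names, attributes,
    // and tags in the middle of otherwise plain text.
    return strip_tags($input) !== $input;
}

function validate_comment(string $input): array {
    $input = trim($input);
    if ($input === '') {
        return ['ok' => false, 'error' => 'Input must not be empty'];
    }
    if (contains_html_tags($input)) {
        return ['ok' => false, 'error' => 'HTML tags are not allowed'];
    }
    return ['ok' => true, 'value' => $input];
}

// Constructed inputs: expected value is "true" when a tag should be detected.
$cases = [
    'hello world'                              => false,
    '<p>hello</p>'                             => true,
    'hello <b>bold</b> text'                   => true,   // tag in the middle of text
    'line one<br>line two'                     => true,   // no closing tag
    '<a href="https://example.com">link</a>'   => true,   // multi-letter name with attribute
    '2 < 3 and 5 > 4'                          => false,  // a bare "<" followed by a space is not a tag
];
foreach ($cases as $input => $expected) {
    $result = validate_comment($input);
    assert($result['ok'] === !$expected);
    printf("%-40s -> %s\n", $input, $result['ok'] ? 'accepted' : 'rejected: ' . $result['error']);
}
```

The client-side pattern attribute is fine as a usability aid, but as the second answer says it is trivially removed, so the server-side check is the one that counts. Whatever is accepted should still be stored via a parameterized query and escaped with htmlspecialchars() when rendered.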
I'm looking for something that is really hard for me to do. I really tried to search all over the net for a solution, but I couldn't seem to find any. I also tried doing this for hours.
What I'm doing: making a theme for phpBB2. I installed a MOD that can include PHP in themes.
What the problem is: when I'm using {} tags in PHP, it just can't echo those tags.
Let's say I have a function that creates a table for me, like this:
CreateMyTable(Name,Size,Color);
I pass the function these strings:
CreateMyTable("{FORUM_NAME}",1000,red);
The title stays blank, I actually want it to echo {FORUM_NAME}.
How can I do this?
P.S: I can't do this
CreateMyTable(?>{FORUM_NAME}<?php , 1000, red);
It's not going to work because <? = <!-- PHP --> , ?> = <!-- ENDPHP -->.
Thanks for your help :)
If you look in the phpBB2 template class, you'll find that the template is simply an evaluated set of PHP using the eval() function. You can either print the contents of the PHP before it is parsed using eval() and then use the variable name that the template gives, i.e. something like (which may not work depending on how your template is set up):
CreateMyTable(((isset($this->_tpldata['.'][0]['FORUM_NAME'])) ? $this->_tpldata['.'][0]['FORUM_NAME'] : '' ),1000,randomcolor());
Please note, in order to do it similar to the way above you'd actually have to insert this into your template class.
A much better solution is to avoid using the mod that allows PHP in templates and use JavaScript in the templates to create the function, then print a call to that JavaScript function.
This will work:
CreateMyTable(FORUM_NAME,1000,red);
I also noticed that red is used without quotes - is this also a constant? If it's a variable it needs to have a $ in front of it. If it's a string it should be between quotes.
CreateMyTable(FORUM_NAME,1000,"red");
I have a character encoding problem in PHP; this is the PHP code:
$n_event=$_GET['ndlann'];
$nom_complet=htmlentities(stripslashes($_POST['nom']));
$email_comment=htmlentities(stripslashes($_POST['email']));
$titre_comment=htmlentities(stripslashes($_POST['titre']));
$texte_comment=htmlentities(stripslashes(nl2br($_POST['commentaire'])));
$pays_comment=$_POST['pays'];
$date_ajout=date('Y/m/d');
Data will be added to a database table; as you can see, this data comes from a comments form,
so when the user enters some comments with Oriental language characters (Arabic, Hebrew, etc.), the input data changes to something like:
Ø´Ù�را عÙ�Ù� اÙ�Ù�Ù�ضÙ�Ø
I tried removing the htmlentities call and that works fine, but it starts another problem with comment form security (JS scripts will be executed).
What can I do with this situation?
and thanks
Do not use htmlentities() ever.
This function was obsoleted a long time ago.
Use htmlspecialchars() instead.
You also have a bunch of nonsense in your code:
Doing htmlentities(nl2br(*)) makes no sense.
Make stripslashes conditional, only if magic quotes are on.
There is a possible problem with the pays field.
I am also afraid that you're taking htmlentities as some sort of SQL escaping function. Am I right?
In my opinion, and according to the PHP doc, the accepted answer is not correct.
Nowhere is it written that this function has been deprecated.
If you set the third argument of the function, called $encoding, correctly, it will solve your problem.
I hope this helps.
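An added example (not code from the question or either answer) that shows the two concrete points raised: declare the charset when escaping so multibyte text survives, and call nl2br() after escaping rather than before. The escape_comment() name is hypothetical and the sample comments are constructed.

```php
<?php
// Added example, not from the thread. Function name is hypothetical.

function escape_comment(string $text): string {
    // Escape first, with the charset declared, so Arabic/Hebrew characters are
    // left alone and any <script> in the comment becomes inert text.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Then convert newlines; nl2br() before escaping would turn its own
    // <br /> into &lt;br /&gt; and defeat the purpose.
    return nl2br($safe);
}

// Constructed comments: Arabic text with a line break, and a script attempt.
$arabic  = "شكرا على الموضوع\nمع تحياتي";
$hostile = "<script>alert('x')</script>";

$out = escape_comment($arabic);
assert(strpos($out, 'شكرا') !== false);        // characters intact
assert(substr_count($out, '<br />') === 1);     // one newline converted

$out2 = escape_comment($hostile);
assert(strpos($out2, '<script>') === false);    // tag neutralized
assert(strpos($out2, '&lt;script&gt;') !== false);

// For comparison: htmlentities() with ISO-8859-1 (its default before PHP 5.4)
// treats each UTF-8 byte as a Latin-1 character, which is the kind of
// mangling shown in the question.
$mojibake = htmlentities($arabic, ENT_QUOTES, 'ISO-8859-1');
assert($mojibake !== $arabic);

echo $out, PHP_EOL;
```

The escaping belongs at output time, not before the INSERT: store the text as typed, use a parameterized query for the database, and escape when rendering. That also removes the temptation, which the first answer warns about, to treat htmlentities() as SQL escaping.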
I have a form where a user types paragraphs into a text area and then it takes them to another page after they submit. How can I pass whatever they typed to the page after they submit? The text area might have linebreaks and if I use a query string to pass the data, it gives me an error. This is my current code to pass the field:
<?php
if(isset($_POST['form']))
{
    $title = $_POST['title'];
    $body = $_POST['body'];
    header("Location: SubmitForm.php?title=$title&body=$body");
    exit;
}
?>
<html>
...html form...
It doesn't work when the text area has line breaks in it.
I would suggest installing a WYSIWYG editor to make this easier for you, but I assume that would add some time for the learning curve.
The simplest tip I can give you is to set a CSS attribute for your textarea: white-space:pre, so that when it gets submitted, all line breaks get sent as well.
On your server side, you would need to use the nl2br() function, so that when it gets saved on your DB or wherever you store them, all line breaks are converted to HTML breaks.
For your additional reference, I had a similar question like this last year.
You really shouldn't be putting anything that long in a query string in the first place. Look into using sessions to store data across pages instead.
(This is assuming I understood the question right)
urlencode the data in order to pass it via query string.
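Both of the last two suggestions, as an added stand-alone example that is not code from the question or the answers: option A encodes the values so line breaks survive a query string, option B keeps the text in the session and sends no payload in the URL at all. The function names are hypothetical, and SubmitForm.php is assumed to read the same keys.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Option A: http_build_query() urlencodes every value, so "\n", "&" and
// spaces cannot break the query string.
function build_redirect_url(string $title, string $body): string {
    return 'SubmitForm.php?' . http_build_query(['title' => $title, 'body' => $body]);
}

// Option B: stash the draft in the session and redirect with a bare URL.
function stash_in_session(array &$session, string $title, string $body): void {
    $session['draft'] = ['title' => $title, 'body' => $body];
}

function read_from_session(array &$session): ?array {
    if (!isset($session['draft'])) {
        return null;
    }
    $draft = $session['draft'];
    unset($session['draft']);   // one-shot read, so the draft does not linger
    return $draft;
}

// Constructed input with line breaks and a query-string-breaking character.
$title = 'Notes & ideas';
$body  = "first paragraph\n\nsecond paragraph";

$url = build_redirect_url($title, $body);
assert(strpos($url, "\n") === false);                 // no raw newline in the URL
parse_str(substr($url, strlen('SubmitForm.php?')), $decoded);
assert($decoded['body'] === $body && $decoded['title'] === $title);  // round-trips intact

$session = [];                       // stands in for $_SESSION after session_start()
stash_in_session($session, $title, $body);
assert(read_from_session($session) === ['title' => $title, 'body' => $body]);
assert(read_from_session($session) === null);

// In the real handler, option A: header('Location: ' . $url); exit;
// option B: session_start(); stash_in_session($_SESSION, $title, $body);
//           header('Location: SubmitForm.php'); exit;
echo $url, PHP_EOL;
```

Option B is the better default for anything longer than a few words: URLs are length-limited, and whatever is in a query string ends up in server logs, browser history and Referer headers, which is not where user-typed text belongs.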